March Cyber Threat Download™

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 

Ransomware activity

Ransomware still ranks as a top threat. The digital forensics and incident response (DFIR) team discussed a ransomware incident that was discovered on Jan. 7. Encryption for the attack mostly centered on virtualization within the client's environment, which included 21 Hyper-V hypervisors used as the hosts, 50-100 virtual devices, and 200-300 workstations across the network. The client had base-level Windows Defender, backups were not current at the time of encryption, and the WatchGuard firewall was out of date.

The DFIR team identified that the initial access occurred on Jan. 3 using a Kali Linux system, and the initial login came from the virtual private network (VPN), indicating that the threat actor bypassed the firewall and VPN. Also, the team saw evidence of PipeMagic, a modular backdoor framework that allows for sideloading of dynamic-link libraries (DLLs) in memory for legitimate executables. In the attack, the threat actor executed an MSBuild.exe, calling on a CSPROJ file with a variable name, to establish persistence within the environment. From there, google.exe, a valid hash that called on goopdate.dll to establish encryption and command and control (C2), was executed. Finally, the threat actor used Server Message Block version 1 to spread the encryption across the virtualized environment. 

This ransomware attack demonstrated the use of malware and C2 as a new tactic, technique and procedure. These legitimate executables sideload DLLs and run in memory, making complete visibility quite difficult, and can also bypass normal antivirus. 

The team stressed the importance of knowing the legitimate activity within an environment and keeping up on patches and updates to vulnerable firewalls and VPN services, particularly during the holiday season when employees are taking paid time off. 

Notable vulnerabilities

As many as 4,313 newly disclosed vulnerabilities were reported in January. Twenty-three of the vulnerabilities were actively exploited on 15 different products, including Cisco, Microsoft, SmarterTools, Fortinet, SolarWinds, and others, and eight of those 23 vulnerabilities involved remote code execution (RCE). Proof-of-concept codes were released online for 14 of the vulnerabilities, providing increased opportunity for threat actors to exploit the products. 

As a monthly trend, the vulnerability management team discussed the exploitation of Microsoft Office via malicious rich text format (RTF) files. This Microsoft vulnerability was significant enough that Microsoft released the patch for it ahead of the Microsoft Patch Tuesday in February. In the attack, a user opens the RTF file, which triggers the download of several other malicious files. One of those files is a PNG image file that uses steganography, or hiding digital content, such as text, images, or videos, within other data to avoid detection. Once exploitation occurs, the exploit involves bundling emails and sending them to a hard-coded email address contained in one of the malicious files. The Russian group APT28 was the first to exploit the vulnerability, but given the complexity of the pathway used, a nation-state could be responsible for its development.

During Microsoft Patch Tuesday in January, 114 reported vulnerabilities were addressed, which is a high number of vulnerabilities. Eight of those were critical vulnerabilities involving RCE and privilege escalation, and three were zero-day exploits. The team discussed the Cisco code injection vulnerability that impacted multiple Cisco collaboration-type products, including Instant Messaging and Webex. In the attack, the threat actor sends a sequence of crafted HTTP requests to the management interface of the products, and if successfully exploited, the threat actor then obtains user access to the underlying operating system for the management interface and elevates it to root to gain control over the system. Cisco reported there is no workaround to the threat; therefore, a software update is required.

In February, 59 reported vulnerabilities were addressed during Microsoft Patch Tuesday. Of those 59, five were critical vulnerabilities, and six were zero-day exploits, including two privilege elevation attacks, three security feature bypasses, and one denial-of-service vulnerability. The team reminded clients about the importance of patching as soon as security updates become available.

Account compromise investigations

The security operations center (SOC) team is constantly on the lookout for compromises within an environment. The team explained the activities involved in a potential Microsoft account compromise investigation and discussed proactive actions to protect against compromises.

On an ongoing basis, the SOC team looks for common indicators of compromise (IOCs) that point to malicious activity in an environment.

• Anomalous login locations. These IOCs frequently show up as impossible travel, VPN usage, and same-session IDs. As an example, the team discussed how "ISP: Datacap Limited" is heavily featured and associated with VPN usage, so if the team sees the internet service provider (ISP) used, it raises a red flag. 

• Suspicious user agents. User agents such as BAC2ROPC (a legacy authentication protocol typically found with older iPhone email clients) and Axios are commonly used in brute-force attacks and password sprays. Threat actors also leverage the user agents to bypass multifactor authentication.

• Malicious inbox rules. These IOCs often indicate that a threat actor is trying to hide activity from the legitimate user. As an example, the team discussed how a threat actor may create a short three-character rule, look for text that includes the word "payment," and hide it in the RSS feed. This malicious activity tells the team that someone is sending emails with fake payments or invoices, which is an obvious red flag. Threat actors also attempt to quickly exfiltrate user contact information for future attacks. In addition, the team looks at Microsoft 365 logs that can show inbox rule events and provide insights into actions that occurred on a compromised account. 

The SOC team always takes proactive action to mitigate compromised accounts. Using Microsoft identity integration, the team revokes active sessions, even prior to a report being made, and initiates a password reset for a compromised account to keep the threat actor out. The team has two options to isolate an event: user isolation if there is evidence that the account is compromised and host isolation if there is evidence of lateral movement or malware on the system. These proactive actions lead to faster resolution of account compromise events.

The dangers of using OpenClaw

Any organization could have advanced artificial intelligence (AI) assistant OpenClaw installed on its network and not even know it. OpenClaw — previously known as Clawdbot and Moltbot — became very popular in January. But, in February, 34 vulnerabilities were disclosed for OpenClaw, including several high and critical vulnerabilities involving prompt injections, container escapes, logic flaws, and bypasses. If an organization has OpenClaw installed on the network, the team suggests removing it. 

Cisco and Noma Security researchers performed thorough investigations of OpenClaw and, in late January, published their findings. Both groups found that OpenClaw was a dangerous AI assistant for many different reasons:

• Trusts anything from anywhere. OpenClaw processes untrusted inputs from any messaging platform sender and any loaded context through tools, browser sessions, or other sources. Also, almost anyone can publish a "skill" and get it linked, and there are no checks and balances for skills. If a user prompts OpenClaw to perform a skill, the AI assistant will use whatever data is available to perform that skill, even malicious data. 

• Accesses sensitive data. The AI assistant can assess credentials, files, integrations, and private conversations.

• Has destructive capabilities. OpenClaw is highly capable with extensive integrations that can perform shell execution, file system modification, and browser automation.

• Requires no human oversight. The AI assistant is highly autonomous, operating as a background process without user supervision.

• Is highly privileged. OpenClaw executes with full user privileges and identity.

• Does not automatically update. OpenClaw does not have its own update system. Users must manually update the system or instruct the program to update itself when needed. When updates are applied to an OpenClaw look-alike version, the AI assistant may not function properly.

In client environments, endpoint detection and response devices (EDRs) are able to audit OpenClaw and other AI technologies. Each EDR has its own dashboard to track down processes, domain name system (DNS) requests, and network traffic such as firewalls, proxies, and DNS products. The team suggests that clients log in to the dashboards and noted that the dashboards have little tuning applied so they may include a high number of false positives. 

The team recommended a few actions clients should take to avoid problems with OpenClaw and other similar AI assistant products:

• Remove local administrative rights so users can't install OpenClaw or similar AI assistants. 

• Remind users of the organization's AI and/or acceptable use policies and encourage users to ask questions about what is and is not acceptable. 

• Attempt to control users' abilities to visit and use AI resources by using proxy traffic, managing browser extensions, and blocking apps where possible.

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.